
Bug#1013320: shim: Issues with RSA 4096 in MOKList certificates
Source: shim
Version: 15.4-7
Severity: normal

Hi,

I was trying to follow
https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key to be able
to sign my locally built kernels (especially for debugging purposes).

As I already have a signing setup using my OpenPGP smartcard, and I
prefer not having the private key on the same system as the code to be
signed, I tried to use the signature key on my smartcard to generate a
self-signed certificate, then import that certificate to the MOKList
using the steps described in the wiki.

Unfortunately, while importing the key itself (mokutil --import + the
step after reboot) works, after that shim freezes when loading the
grubx64.efi image (according to debug logs with mokutil --set-verbosity
true).

In order to rule out any issue with the smartcard setup, I used the
exact steps described in the wiki, replacing rsa:2048 by rsa:4096 in the
key generation. The same behavior is exhibited, so it really looks like
RSA 4096 is not totally supported in shim.

What's weird is when using the boot menu on my laptop and trying to load
fwupdx64.efi, it somehow tries to load grubx64.efi and fwupdx64.efi and
this time it manages to load properly, so there's definitely something
fishy here.

The tests were done on a LENOVO Thinkpad X280 laptop with the latest
firmware. If you need more information, please ask!

Regards,
-- 
Yves-Alexis
-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled